“We don’t have the budget for that”…sound familiar?
We understand that simply putting numbers in your budget just won’t cut it; you’re going to need to justify spend on every new line item. To help you make your case, we have built a simple return on investment tool to help you think through the sources of value and do a rough quantification of the potential return. This exercise is a rough estimate of the potential return on your investment.
Whether the results are a return of $3.00 to $1.00 or $3.11 to $1.00, the real value in this exercise is to help you clearly communicate the source and magnitude of the value and provide leadership with confidence that you will get that return!
The role of a corporate security team is complicated. You know that your job has been done when no one knows that you’ve done your job. Every day you are protecting people and your brand. You give people the confidence to take risks knowing that there is someone to protect them. And you act as the backstop in the case of a once-in-a-lifetime catastrophic event like a terrorist attack or natural disaster. All of these things are true, but as you already know, they are very hard to qualify and quantify.
The good news? You don’t need these variables to make your case. These items are great, soft benefits that can be used to improve your story, but you can definitely make a case based on the more mundane incidents that happen all the time.
For this exercise, we encourage you to think about the 80/20 rule. You manage several different incident types, but which ones contribute the greatest number of incidents and losses? We have built an example list below. Choose your top three to five incidents to start – you can always add more later. We suggest thinking about the ones where the losses are greatest.
For each incident type we have categorized five different forms of losses that you are likely to see in your business.
While not the biggest form of loss, these are often the most numerous as just about every type of incident involves some form of damage to something the business owns.
Incidents like assault, harassment, product counterfeiting or fraud can result in lawsuits.
Many types of incidents can bring the company to the notice of regulators.
Often tied to lost and/or damaged assets. The cost of not being able to use an asset is almost always a bigger cost than the value of the asset itself. For context, think of the lost productivity from a site shutdown (yikes!).
This can be grouped under lost productivity, but in some cases (e.g. counterfeiting, shutdown of an ecommerce site) calculating lost revenue is simpler and can be very persuasive.
Data breaches usually involve one or more of the above but are worth putting into their own category due to the large costs associated (estimates for the cost of a data breach are in the range of $7 M per breach) and because they are top of mind for most executives.
This can be a bit of a chicken or egg situation. If you are looking for a new system, it is likely (at least in part) because you want to get better quality data. Hopefully you have some basic information to start with.
Here is the data you need:
Once you have entered this into the tool, you will have a measure of your losses per year.
In this exercise you are predicting the future, and that can be difficult, especially if you do not have past trends to fall back on. For each incident type we have provided some examples of how an incident and investigations solution will help you reduce incidents and losses, but quantifying how much you can improve is going to be a bit of a guess.
One way to approach this conversation is to start with the statement “what would you have to believe to make this a worthwhile investment?” If a 1% reduction in incidents results in a number greatly above your investment, do you need much more information to make this decision?
For this approach we would suggest estimating your savings by thinking about the smallest improvement you believe can be made and seeing if that matches up to your investment. Given the size of losses that are typical, it does not take much convincing to pay for a software solution.
The most compelling element of an ROI calculator is the commitment of the person presenting it. To get a return, we need to have impact. Too often, investments are made, and nothing changes. With this ROI exercise, you are working to build credibility in the following ways:
As mentioned earlier, we don’t need to make major savings to pay for this system. The primary thing to watch for is whether current incident levels are indicative of the future. If your business is rapidly growing, your incidents are going to grow. The key is to make a commitment on a reduction from what you expect to happen.
Again, it is important to emphasize that you won’t need to sign up for anything massive. Minimum improvements help to make your case. To punch it up, you can show what you expect, but given the natural ups and downs of incident numbers, we suggest staying modest!
Earlier we mentioned some of the intangible benefits of implementing a software solution: improving executive protection, being more prepared for catastrophic incidents, and having improved data for better decision making, just to name a few. These are tough things to quantify in an ROI exercise, but they make great add-ons. To help drive your point, choose a couple that you feel would be eye-catching for your audience. You don’t want a laundry list. A couple of high-impact benefits are far better than 10 mediocre ones.
Getting budget approvals is always hard, but the case for an Incident and Investigations Management solution is relatively straightforward. If you are prepared and willing to make some commitments, we are confident that you will prevail.